The European Union's General Data Protection Regulation (GDPR) began enforcement on May 25, 2018. Is your organization prepared?
Has your inbox been flooded with updated privacy policies from your Internet accounts like Google, Facebook, and LinkedIn? The massive new regulation directly affects everyone in the European Union (EU)*, and it could have a huge impact on how your organization is required to protect an individual's data, even if you are not based in the EU. Non-compliance can draw a penalty of up to €20 million or 4% of annual global turnover, whichever is greater.
What is it?
It is the EU's new and expanded data privacy law, replacing the 1995 Data Protection Directive (95/46/EC), and it is designed to protect consumers in the current era of cyber attacks and data leaks. It establishes "privacy by design and by default," tightens the rules on how companies manage data, and gives individuals more control over their personal data.
Personal data is any data relating to an identified or identifiable natural person: a name, a photo, an email address, bank details, posts on social networking websites, medical information, or even a computer's IP address. Before personal data is processed on a system such as ours, the organization collecting it (the data controller) must have a documented data processing agreement in place with the organization handling it on its behalf (the data processor).
How does this affect your organization inside and outside the EU?
You may be surprised how likely it is that the GDPR affects you even if you are not in the EU. The biggest change is the extended jurisdiction of the GDPR: it applies to any organization processing the personal data of individuals in the EU, regardless of where the organization is located. In addition, if your organization supports businesses whose customers are EU data subjects, your organization is required to be in compliance as well.
What is my organization’s responsibility in handling data?
Individuals have been accorded more privacy rights concerning their data. Companies may only collect data if they have a "lawful basis," such as a contract with the individual or the individual's explicit consent. A request for consent must be in plain language and clearly identified; no more hiding it in "Terms and Conditions" legalese. It must be as easy to withdraw consent as it is to give it. In addition, there must be clear transparency toward the individual about what the data is being used for, and electronic copies of the data must be provided upon request. Individuals may also have that data transferred to anyone they choose (the right to data portability).
Individuals have the right to be forgotten: by withdrawing consent, or by directly requiring you to delete the data. They can ask you to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. When considering such requests, controllers must weigh the subject's rights against "the public interest in the availability of the data."
Your organization must secure the data appropriately and cannot hold on to the data longer than necessary. When an individual requests that their data be deleted, you must comply unless an exemption applies (for example, certain health care, legal, or law enforcement obligations). In addition, you are required to keep documentation of how data is handled, and to report data breaches to the supervisory authority within 72 hours of becoming aware of them (unless the breach is unlikely to result in a risk to the individuals affected).
Companies can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
Companies may well be required to appoint a designated data protection officer (DPO), who oversees the internal record-keeping requirements. A DPO is mandatory only for public authorities and for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or of data relating to criminal convictions and offenses.
How Extended DISC is GDPR compliant
Extended DISC has been preparing for the GDPR since it was published in 2016. We are in compliance with the GDPR, including individuals' right to access their data, right to rectify inaccurate data, right to erase data ("right to be forgotten"), right to restriction of processing, and right to data portability.
We have performed the extensive data audits called for by the GDPR to ensure not only that our assessment platform fulfills all technical and documentation requirements, but also that our organization meets the GDPR requirements. Our assessment platform, the FinxS System, and our organization, in the role of the data processor, comply with the GDPR requirements, including the GDPR principles of:
- Integrity and confidentiality
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Accountability
- Data risk and impact assessment
There are numerous, stringent data security and technical requirements that an assessment system must meet in order to be GDPR compliant. In addition, the assessment system must be able to document all relevant activities, such as every login attempt, every deletion of data, and the data security measures in place. Of course, the system must also be able to document that a respondent provided the lawful basis for collecting any data in the first place.
Is the EU-US Privacy Shield certification enough for GDPR compliance?
Many U.S.-based companies mistakenly think that EU-US Privacy Shield certification makes them GDPR compliant. It does not. The Privacy Shield is only a mechanism that enables participating companies to meet the EU requirements for transferring personal data from the EU to the US. To be GDPR compliant, data processors such as assessment tool providers must also meet the regulation's much stricter obligations on how that data is handled, or risk very costly consequences for their clients.
*The EU countries include Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and currently, the United Kingdom.